Rather than putting all rules into libvirt's main private chains, create a private chain per network. This will make it easier for administrators to use hooks to customize the chains per network. For the LIBVIRT_INP, LIBVIRT_OUT, LIBVIRT_FWO and LIBVIRT_FWI chains it is also possible to set interface name matches on the jumps to the per-network chains. This will result in fewer iptables rules being evaluated per packet when lots of networks are running.

We thus end up with the following chains

  INPUT --> LIBVIRT_INP +-> LIBVIRT_INP_virbr0 (filter)
                        +-> LIBVIRT_INP_virbr1
                        |   ...
                        \-> LIBVIRT_INP_virbrN

  OUTPUT --> LIBVIRT_OUT +-> LIBVIRT_OUT_virbr0 (filter)
                         +-> LIBVIRT_OUT_virbr1
                         |   ...
                         \-> LIBVIRT_OUT_virbrN

  FORWARD +-> LIBVIRT_FWX +-> LIBVIRT_FWX_virbr0 (filter)
          |               +-> LIBVIRT_FWX_virbr1
          |               |   ...
          |               \-> LIBVIRT_FWX_virbrN
          |
          +-> LIBVIRT_FWO +-> LIBVIRT_FWO_virbr0 (filter)
          |               +-> LIBVIRT_FWO_virbr1
          |               |   ...
          |               \-> LIBVIRT_FWO_virbrN
          |
          \-> LIBVIRT_FWI +-> LIBVIRT_FWI_virbr0 (filter)
                          +-> LIBVIRT_FWI_virbr1
                          |   ...
                          \-> LIBVIRT_FWI_virbrN

  POSTROUTING --> LIBVIRT_PRT +-> LIBVIRT_PRT_virbr0 (nat & mangle)
                              +-> LIBVIRT_PRT_virbr1
                              |   ...
                              \-> LIBVIRT_PRT_virbrN

Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
 src/libvirt_private.syms          |  2 +
 src/network/bridge_driver_linux.c |  5 +
 src/util/viriptables.c            | 85 ++++++++++++++++
 src/util/viriptables.h            |  2 +
 .../nat-default-linux.args        | 98 +++++++++++++++++++
 .../nat-ipv6-linux.args           | 98 +++++++++++++++++++
 .../nat-many-ips-linux.args       | 98 +++++++++++++++++++
 .../nat-no-dhcp-linux.args        | 98 +++++++++++++++++++
 .../nat-tftp-linux.args           | 98 +++++++++++++++++++
 .../route-default-linux.args      | 98 +++++++++++++++++++
 10 files changed, 682 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 8ab09a522c..8f7f166aef 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2072,7 +2072,9 @@ iptablesRemoveTcpInput;
 iptablesRemoveUdpInput;
 iptablesRemoveUdpOutput;
 iptablesSetDeletePrivate;
+iptablesSetupLocalChains;
 iptablesSetupPrivateChains;
+iptablesTeardownLocalChains;
 
 
 # util/viriscsi.h
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 571077d83a..4777e9efc4 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -672,6 +672,9 @@ int networkAddFirewallRules(virNetworkDefPtr def)
     virFirewallPtr fw = NULL;
     int ret = -1;
 
+    if (iptablesSetupLocalChains(def->bridge) < 0)
+        return -1;
+
     fw = virFirewallNew();
 
     virFirewallStartTransaction(fw, 0);
@@ -714,6 +717,8 @@ void networkRemoveFirewallRules(virNetworkDefPtr def)
     virNetworkIPDefPtr ipdef;
     virFirewallPtr fw = NULL;
 
+    iptablesTeardownLocalChains(def->bridge);
+
     fw = virFirewallNew();
 
     virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 668967fcc5..53d0568a84 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
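Review bot: The added iptablesSetupLocalChains() call creates the per-network chains before the rest of networkAddFirewallRules runs, but nothing in the hunk removes them again if that later work fails, so a failed rule transaction would leave empty `LIBVIRT_*_<bridge>` chains and their jump rules behind until the network is next destroyed; the function's body and its error path continue outside the hunk, so this may already be handled there. If it is not, the cleanup path should call `iptablesTeardownLocalChains(def->bridge)` whenever `ret < 0`. A one-line comment on the call would also help a reader who expects the rules below to target these chains: `/* Create the (currently empty) per-network child chains hooked off the LIBVIRT_* parents */` — presumably later patches move rules into them, since the fixtures in this series still insert into the parent chains.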
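Review bot: The return value of the added iptablesTeardownLocalChains() call is discarded in networkRemoveFirewallRules, which is presumably deliberate since the teardown path runs its transaction with VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS, but a comment would stop a future reader from "fixing" it: `/* Best effort: the chains may already be gone after a daemon restart */`. Note also that the child chains are flushed and deleted before this function removes the network's own rules (that code is outside the hunk); that ordering is fine today because the rules still live in the parent chains, and it is the right order once rules move into the children, because `--flush` then disposes of them in one step.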
@@ -183,6 +183,91 @@ iptablesSetupPrivateChains(void)
 }
 
 
+static int
+iptablesLocalChainsManage(int action,
+                          const char *iface)
+{
+    virFirewallPtr fw = NULL;
+    int ret = -1;
+    struct {
+        virFirewallLayer layer;
+        const char *table;
+        const char *parent;
+    } chains[] = {
+        {VIR_FIREWALL_LAYER_IPV4, "filter", "LIBVIRT_INP"},
+        {VIR_FIREWALL_LAYER_IPV4, "filter", "LIBVIRT_OUT"},
+        {VIR_FIREWALL_LAYER_IPV4, "filter", "LIBVIRT_FWO"},
+        {VIR_FIREWALL_LAYER_IPV4, "filter", "LIBVIRT_FWI"},
+        {VIR_FIREWALL_LAYER_IPV4, "filter", "LIBVIRT_FWX"},
+        {VIR_FIREWALL_LAYER_IPV4, "nat", "LIBVIRT_PRT"},
+        {VIR_FIREWALL_LAYER_IPV4, "mangle", "LIBVIRT_PRT"},
+
+        {VIR_FIREWALL_LAYER_IPV6, "filter", "LIBVIRT_INP"},
+        {VIR_FIREWALL_LAYER_IPV6, "filter", "LIBVIRT_OUT"},
+        {VIR_FIREWALL_LAYER_IPV6, "filter", "LIBVIRT_FWO"},
+        {VIR_FIREWALL_LAYER_IPV6, "filter", "LIBVIRT_FWI"},
+        {VIR_FIREWALL_LAYER_IPV6, "filter", "LIBVIRT_FWX"},
+        {VIR_FIREWALL_LAYER_IPV6, "nat", "LIBVIRT_PRT"},
+        {VIR_FIREWALL_LAYER_IPV6, "mangle", "LIBVIRT_PRT"},
+    };
+    size_t i;
+
+    fw = virFirewallNew();
+
+    virFirewallStartTransaction(fw, action == ADD ? 0 :
+                                VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+
+    for (i = 0; i < ARRAY_CARDINALITY(chains); i++) {
+        char *child;
+        if (virAsprintf(&child, "%s_%s", chains[i].parent, iface) < 0)
+            goto cleanup;
+
+        if (action == ADD) {
+            virFirewallAddRule(fw, chains[i].layer,
+                               "--table", chains[i].table,
+                               "--new-chain", child, NULL);
+            virFirewallAddRule(fw, chains[i].layer,
+                               "--table", chains[i].table,
+                               "--insert", chains[i].parent,
+                               "--jump", child, NULL);
+        } else {
+            virFirewallAddRule(fw, chains[i].layer,
+                               "--table", chains[i].table,
+                               "--delete", chains[i].parent,
+                               "--jump", child, NULL);
+            virFirewallAddRule(fw, chains[i].layer,
+                               "--table", chains[i].table,
+                               "--flush", child, NULL);
+            virFirewallAddRule(fw, chains[i].layer,
+                               "--table", chains[i].table,
+                               "--delete-chain", child, NULL);
+        }
+    }
+
+    if (virFirewallApply(fw) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virFirewallFree(fw);
+    return ret;
+}
+
+
+int
+iptablesSetupLocalChains(const char *iface)
+{
+    return iptablesLocalChainsManage(ADD, iface);
+}
+
+
+int
+iptablesTeardownLocalChains(const char *iface)
+{
+    return iptablesLocalChainsManage(REMOVE, iface);
+}
+
+
 void
 iptablesSetDeletePrivate(bool pvt)
 {
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index d50158a59e..8eb884aa9f 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -28,6 +28,8 @@
 # include "virfirewall.h"
 
 int iptablesSetupPrivateChains (void);
+int iptablesSetupLocalChains (const char *iface);
+int iptablesTeardownLocalChains (const char *iface);
 void iptablesSetDeletePrivate (bool pvt);
 
 
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
index c9d523d043..8efc415bee 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
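Review bot: `child` is allocated by virAsprintf() on every iteration of the loop in iptablesLocalChainsManage() and is never freed, neither after the virFirewallAddRule() calls nor on the `goto cleanup` path, so each call leaks one string per table/chain entry (presumably virFirewallAddRule copies its arguments; if it does not, freeing would instead leave the queued rules with dangling pointers, which is worth confirming before fixing). Declaring it `VIR_AUTOFREE(char *) child = NULL;` inside the loop, or adding `VIR_FREE(child);` at the end of the loop body, closes the leak. Separately, the ADD path issues `--new-chain` in a transaction that does not ignore errors, so a `LIBVIRT_*_virbrN` chain left behind by a crashed daemon makes every later start of that network fail until someone removes it by hand; consider tolerating an already-existing chain, or running the REMOVE sequence before creating. A header comment on the function would also help, e.g. `/* Create (ADD) or remove (REMOVE) the per-network child chains hooked off each LIBVIRT_* parent in the filter, nat and mangle tables for iface. Removal is best-effort. */`.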
@@ -1,5 +1,103 @@
 iptables \
 --table filter \
+--new-chain LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+iptables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+ip6tables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args
index a57b9266af..a72efecc49 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
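Review bot: The new jump rules in this fixture (`--insert LIBVIRT_INP --jump LIBVIRT_INP_virbr0`, and the matching OUT/FWO/FWI lines) carry no `--in-interface`/`--out-interface` match, and the network's own rules still land in the parent chain (`--insert LIBVIRT_INP --in-interface virbr0` right after the chain setup), so every packet now traverses each empty per-network chain and the reduction in rule evaluations described in the commit message is not yet realised. This is presumably deferred to a later patch in the series; if so, the commit message should say that the child chains are created empty here. Because each network uses `--insert`, the chain of the most recently started network is evaluated first, which is harmless while the chains are empty but becomes an ordering property worth documenting once rules move into them.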
@@ -1,5 +1,103 @@
 iptables \
 --table filter \
+--new-chain LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+iptables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+ip6tables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args
index 1bdc43fd6a..5094d6793b 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -1,5 +1,103 @@
 iptables \
 --table filter \
+--new-chain LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+iptables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+ip6tables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
index 7d359f3824..3b870a0a02 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -1,5 +1,103 @@
 iptables \
 --table filter \
+--new-chain LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+iptables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+ip6tables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args
index b721801b70..f002f0add9 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -1,5 +1,103 @@
 iptables \
 --table filter \
+--new-chain LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+iptables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+ip6tables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args
index ed3c560f74..783e803dff 100644
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -1,5 +1,103 @@
 iptables \
 --table filter \
+--new-chain LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+iptables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+iptables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+iptables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+iptables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_INP \
+--jump LIBVIRT_INP_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_OUT \
+--jump LIBVIRT_OUT_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWO \
+--jump LIBVIRT_FWO_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWI \
+--jump LIBVIRT_FWI_virbr0
+ip6tables \
+--table filter \
+--new-chain LIBVIRT_FWX_virbr0
+ip6tables \
+--table filter \
+--insert LIBVIRT_FWX \
+--jump LIBVIRT_FWX_virbr0
+ip6tables \
+--table nat \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table nat \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--new-chain LIBVIRT_PRT_virbr0
+ip6tables \
+--table mangle \
+--insert LIBVIRT_PRT \
+--jump LIBVIRT_PRT_virbr0
+iptables \
+--table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
-- 
2.19.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list